Abstract

We present a cryptanalysis of two protocols based on the supposed difficulty
of the discrete logarithm problem in (semi)groups of matrices over a group ring.
We recover the secret key and thereby break both protocols entirely.
1. Introduction

The Diffie-Hellman key agreement protocol is the first published practical
solution to the key distribution problem, allowing two parties that have never
met to exchange a secret key over an open channel. It uses the cyclic group
$\mathbb{F}_q^*$, where $\mathbb{F}_q$ is the finite field with $q$ elements. The security of this protocol
is based on the difficulty of computing discrete logarithms (DL) in the group
$\mathbb{F}_q^*$. There are several algorithms for computing discrete logarithms, some of
which are subexponential when applied to $\mathbb{F}_q^*$.

It is therefore important to look for easily implementable groups for which the
DL problem is hard and no subexponential-time algorithm for computing DL is
known. The group of $\mathbb{F}_q$-points of an elliptic curve is such a group.

In [8], the group of invertible matrices with coefficients in a finite field was
considered for such a key exchange. In [6], using the Jordan form, it was
shown that the discrete logarithm problem on such matrices reduces to the same
problem over some small extensions of the finite base field.

In [4], the authors consider the semigroup of 3-by-3 matrices over the group
ring $\mathbb{F}_7[S_5]$, where $S_5$ is the group of permutations of $\{1, 2, 3, 4, 5\}$.
The security of this protocol is based on the supposed difficulty of the
discrete logarithm problem in this (semi)group of matrices.
Moreover, in [5] the authors propose the same semigroup as a platform for
the Cramer-Shoup cryptosystem, which is a generalization of ElGamal's
protocol. Here the security is based on the supposed difficulty of the discrete
logarithm problem in the group of invertible 3-by-3 matrices with coefficients
in $\mathbb{F}_7[S_5]$.

In [1], [2] and [7] cryptanalyses of [4] are proposed, by somewhat different
methods. In [1], the discrete logarithm problem in a semigroup is reduced to
the same problem in a subgroup of that semigroup. In [2], a slight modification
of Shor's quantum algorithm is used to find the period of a singular matrix
(there is no notion of order for such a matrix) and thereby solve the discrete
logarithm problem in semigroups. In [7], $\mathrm{Mat}_3(\mathbb{F}_7[S_5])$ is embedded in
$\mathrm{Mat}_{360}(\mathbb{F}_7)$ (via the regular representation, $3 \cdot 120 = 360$) and the procedure
of [6], adapted to singular matrices, is then applied. The conclusion of all
three papers is that, using a quantum computer, one can break the key exchange
protocol of [4].

In contrast to the above analyses, we use the irreducible representations of
the group: since the algebra $\mathbb{F}_7[S_5]$ is semi-simple, we give an isomorphism
between this algebra and an algebra of block matrices with coefficients in
$\mathbb{F}_7$. We then use this isomorphism to obtain an isomorphism between
$\mathrm{Mat}_3(\mathbb{F}_7[S_5])$ and yet another algebra of block matrices over $\mathbb{F}_7$, by
combining the corresponding blocks of the first isomorphism.

This way we reduce the discrete logarithm problem over $\mathrm{Mat}_3(\mathbb{F}_7[S_5])$ to
the same problem over block matrices with coefficients in $\mathbb{F}_7$. The largest
block has size 18, which reduces the computation dramatically. We can then
apply the procedure of [6] (modified if necessary for singular blocks) to each
block, solve the discrete logarithm problem entirely on present-day computers,
and find the secret key. The conclusion is that the platforms proposed in [4]
and [5] are simply insecure.

The rest of this paper is organized as follows. Section 2 is devoted to the
irreducible representations of $S_5$. In section 3 we explain the isomorphism
between matrices with coefficients in $\mathbb{F}_7[S_5]$ and block matrices with
coefficients in $\mathbb{F}_7$, and show that the protocols proposed in [4] and [5] can
be broken. Finally we conclude with some remarks in section 4.

2. Irreducible representations of $S_5$

For our purpose it will be easier to use the following presentation of $S_5$. We
write $W := (12)$ and $Z := (12345)$. The group $S_5$ is defined by the generators
$W, Z$ and the relations $T$, where $T$ is the following set of relations (the
first two record the orders of the generators; the fourth is $(WZ^{-1}WZ)^3 = \mathrm{id}$
with one factor moved to the right-hand side; the last two say that $W$ commutes
with its conjugates $Z^{-2}WZ^{2}$ and $Z^{-3}WZ^{3}$):

$W^2 = \mathrm{id}$

$Z^5 = \mathrm{id}$

$(ZW)^4 = \mathrm{id}$

$W Z^{-1} W Z W = Z^{-1} W Z W Z^{-1} W Z$

$[W, Z^{-2} W Z^{2}] = \mathrm{id}$

$[W, Z^{-3} W Z^{3}] = \mathrm{id}$

The group $S_5$ has two distinct representations of dimension one (namely
the trivial one and the sign), two non-isomorphic irreducible representations
of dimension four, two non-isomorphic irreducible representations of
dimension five, and one irreducible representation of dimension six (as a
check, $1 + 1 + 16 + 16 + 25 + 25 + 36 = 120 = |S_5|$). We give the images of the
generators $Z$ and $W$ under these representations; one can verify the relations
$T$ for the images, thereby proving that one defines morphisms from $S_5$ to
matrix groups. One can compare the traces of these morphisms with the character
table of $S_5$ to be sure that all the irreducible representations of $S_5$ are
obtained.

To construct these representations one can follow the general description of
[3], using Young polytabloids to construct the Specht modules, which give the
irreducible representations of $S_5$.

$W = (12) \mapsto A_1 \oplus A'_1 \oplus A_4 \oplus A'_4 \oplus A_5 \oplus A'_5 \oplus A_6$, where
3. Cryptanalysis of the protocols


In [4] the authors propose the Diffie-Hellman key exchange using 3-by-3
matrices over $\mathbb{F}_7[S_5]$. So Alice and Bob take a public matrix $M \in \mathrm{Mat}_3(\mathbb{F}_7[S_5])$,
which may be non-invertible. Alice chooses a secret integer $n$, computes $M^n$
and sends it to Bob. Bob chooses a secret integer $n'$, computes $M^{n'}$ and
sends it to Alice. Each party can now compute the common key $M^{nn'}$.

In [5], the same platform is used for the Cramer-Shoup cryptosystem, which
we do not recall here. We only stress that there is a public key $M$ as above,
and that among the other data sent during the protocol there is $M^n$, where $n$
is the secret key. So if we are able to solve the discrete logarithm problem for
$M \in \mathrm{Mat}_3(\mathbb{F}_7[S_5])$, the platform proposed in both cases is not secure.
That is what we are going to explain.

As 7 does not divide $|S_5| = 120$, the algebra $\mathbb{F}_7[S_5]$ is semi-simple by
Maschke's theorem, and Wedderburn's theorem then asserts that this algebra is
isomorphic to a direct sum of matrix algebras over $\mathbb{F}_7$; in other words it is
isomorphic to an algebra of block matrices over $\mathbb{F}_7$. Let us denote by $f$ this
isomorphism. To be of any use for our purpose, we have to make this isomorphism
explicit. The $\mathbb{F}_7$-linear extension to $\mathbb{F}_7[S_5]$ of the morphism of $S_5$ given
by the irreducible representations on the generators $W = (12)$, $Z = (12345)$ in
section 2 gives the isomorphism $f$ between $\mathbb{F}_7[S_5]$ and its image. So for any
element $X = \sum_i a_i x_i \in \mathbb{F}_7[S_5]$, $a_i \in \mathbb{F}_7$ and $x_i \in S_5$, we can
compute its image $f(X) = \sum_i a_i f(x_i)$ as a direct sum of matrices with
coefficients in $\mathbb{F}_7$.

Up to now we have represented a matrix $M \in \mathrm{Mat}_3(\mathbb{F}_7[S_5])$ as a matrix with
coefficients in $\mathbb{F}_7$ by replacing each coefficient $M_{ij}$ of $M$ by $f(M_{ij})$. For
example $M_{11}$ is replaced by the block-diagonal matrix

$A = \mathrm{diag}(a_1, a'_1, a_4, a'_4, a_5, a'_5, a_6),$

where the $a_i, a'_i$ are block matrices with coefficients in $\mathbb{F}_7$ and the indices
denote the size of the block.

Let us denote by $A, B, C, D, E, F, G, H, I$ the block matrices corresponding
to $M_{11}, M_{12}, M_{13}, M_{21}, M_{22}, M_{23}, M_{31}, M_{32}, M_{33}$. Then $B$ is a
block-diagonal matrix which we represent in the same way as $A$, denoting its
blocks $b_1, b'_1, b_4, b'_4, \dots$; we use the same notation for $C, D, \dots$. It is an
easy computation (a permutation of rows and columns) to show that there is a
natural isomorphism between the matrices

$\begin{pmatrix} A & B & C \\ D & E & F \\ G & H & I \end{pmatrix}$

and the block-diagonal matrix whose first block is obtained by composing (side
by side) the first blocks of $A, B, C, D, \dots$, namely

$\begin{pmatrix} a_1 & b_1 & c_1 \\ d_1 & e_1 & f_1 \\ g_1 & h_1 & i_1 \end{pmatrix},$

which is a $3 \times 3$ matrix over $\mathbb{F}_7$. The second block is obtained by composing
the second blocks of $A, B, C, D, \dots$, namely

$\begin{pmatrix} a'_1 & b'_1 & c'_1 \\ d'_1 & e'_1 & f'_1 \\ g'_1 & h'_1 & i'_1 \end{pmatrix},$

and so on.
To summarize, we represent the matrix $M \in \mathrm{Mat}_3(\mathbb{F}_7[S_5])$ by a block-diagonal
matrix over $\mathbb{F}_7$ whose blocks are of size $3, 3, 12, 12, 15, 15, 18$ (three times the
dimensions $1, 1, 4, 4, 5, 5, 6$ of the irreducible representations; as a check,
$2 \cdot 3^2 + 2 \cdot 12^2 + 2 \cdot 15^2 + 18^2 = 1080 = 9 \cdot 120 = \dim_{\mathbb{F}_7} \mathrm{Mat}_3(\mathbb{F}_7[S_5])$).
We represent the matrix $M^n$ by a block-diagonal matrix with the same block
sizes $3, 3, 12, 12, 15, 15, 18$ over $\mathbb{F}_7$; since the representation is an algebra
isomorphism, each block of the image of $M^n$ is the $n$-th power of the
corresponding block of the image of $M$. Now we can apply the same techniques as
in [6], namely write the Jordan form of each block over some small extension
field $\mathbb{F}_{7^k}$ of $\mathbb{F}_7$, and find the secret key $n$. Note that for singular
blocks we need a slight modification of the procedure of [6], as proposed in
[7].
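The key exchange of [4] described at the start of this section and the block-wise reduction just explained, as an added worked example that is not part of the paper (the code is ours, not the authors' or any library's). It implements $\mathbb{F}_7[S_5]$ and $3 \times 3$ matrices over it, runs the exchange, and then plays the attacker on the public message $M^n$. Assumptions not in the paper: permutations are composed as $(gh)(i) = g(h(i))$; of the irreducible representations only the two one-dimensional ones (trivial and sign) are constructed, since the paper's explicit $4$-, $5$- and $6$-dimensional matrices are not reproduced on this page, and the reducible $5$-dimensional permutation representation (trivial plus a $4$-dimensional irreducible) is used only to exhibit a $15 \times 15$ block and check that the block map is multiplicative; the discrete logarithm in each $3 \times 3$ block is solved by walking the powers until they repeat (which handles singular blocks through a preperiod and a period) instead of the Jordan form of [6]; the partial information from the blocks is combined by the Chinese remainder theorem; and the public matrix and the exponents are constructed sample values. The helper names (block_image, block_dlog, recover_exponent, ...) are ours.

```python
from itertools import permutations
from functools import reduce
from math import gcd

P = 7
S5 = list(permutations(range(5)))   # S_5 as tuples g with g[i] = image of i; S5[0] is the identity
IDX = {g: i for i, g in enumerate(S5)}
def compose(g, h):                  # assumed convention: (gh)(i) = g(h(i))
    return tuple(g[h[i]] for i in range(5))
TABLE = [[IDX[compose(g, h)] for h in S5] for g in S5]   # multiplication table on indices
def sign(g):                        # signature of a permutation, +1 or -1
    return -1 if sum(g[i] > g[j] for i in range(5) for j in range(i + 1, 5)) % 2 else 1

# An element of F_7[S_5] is a dict {index of g: coefficient in F_7}; zero terms are dropped.
def gr_add(x, y):
    z = {g: (x.get(g, 0) + y.get(g, 0)) % P for g in x.keys() | y.keys()}
    return {g: c for g, c in z.items() if c}
def gr_mul(x, y):
    z = {}
    for g, a in x.items():
        row = TABLE[g]
        for h, b in y.items():
            z[row[h]] = (z.get(row[h], 0) + a * b) % P
    return {g: c for g, c in z.items() if c}
# A ring is (add, mul, zero, one); square matrices over it are lists of rows.
GR = (gr_add, gr_mul, {}, {0: 1})                                 # F_7[S_5]
F7 = (lambda a, b: (a + b) % P, lambda a, b: (a * b) % P, 0, 1)   # F_7
def mat_mul(A, B, ring):
    add, mul, zero, _ = ring
    return [[reduce(add, (mul(A[i][k], B[k][j]) for k in range(len(A))), zero)
             for j in range(len(A))] for i in range(len(A))]
def mat_pow(A, n, ring):            # square-and-multiply, n >= 0
    _, _, zero, one = ring
    R = [[one if i == j else zero for j in range(len(A))] for i in range(len(A))]
    while n:
        if n & 1:
            R = mat_mul(R, A, ring)
        n >>= 1
        if n:
            A = mat_mul(A, A, ring)
    return R

def dh_exchange(M, n_alice, n_bob):
    """Protocol of [4]: returns (M^n from Alice, M^n' from Bob, Alice's key, Bob's key)."""
    A, B = mat_pow(M, n_alice, GR), mat_pow(M, n_bob, GR)
    return A, B, mat_pow(B, n_alice, GR), mat_pow(A, n_bob, GR)

def block_image(M, rep):
    """Block map of section 3 for one rep S_5 -> Mat_d(F_7): entry sum c_g g -> sum c_g rep(g), blocks flattened to 3d x 3d."""
    d = len(rep(S5[0]))
    out = [[0] * (len(M) * d) for _ in range(len(M) * d)]
    for i, row in enumerate(M):
        for j, x in enumerate(row):
            for g, c in x.items():
                for u, r in enumerate(rep(S5[g])):
                    for v, e in enumerate(r):
                        out[i * d + u][j * d + v] = (out[i * d + u][j * d + v] + c * e) % P
    return out
TRIVIAL = lambda g: [[1]]
SIGN = lambda g: [[sign(g) % P]]                                          # -1 is 6 in F_7
PERM = lambda g: [[int(g[v] == u) for v in range(5)] for u in range(5)]   # permutation rep (= 1 + 4)

def block_dlog(X, T):
    """Walk X, X^2, ... over F_7 until a repeat: returns (k, s, p) with X^k == T, preperiod s and
    period p (X^(s+p) == X^s); so X^n == T gives n == k if k < s, else n ≡ k (mod p). X may be singular."""
    key = lambda A: tuple(map(tuple, A))
    seen, cur, k = {}, X, 1
    while key(cur) not in seen:
        seen[key(cur)] = k
        cur, k = mat_mul(cur, X, F7), k + 1
    s = seen[key(cur)]
    return seen[key(T)], s, k - s

def crt(r1, m1, r2, m2):
    """Combine n ≡ r1 (mod m1) and n ≡ r2 (mod m2); the moduli need not be coprime."""
    g = gcd(m1, m2)
    assert (r1 - r2) % g == 0, "inconsistent residues"
    t = ((r2 - r1) // g * pow(m1 // g, -1, m2 // g)) % (m2 // g)
    return (r1 + m1 * t) % (m1 // g * m2), m1 // g * m2

def recover_exponent(M, Mn):
    """Attacker: n mod the lcm of the two 3x3 block periods, from public M and M^n (modulus 0: n exact)."""
    r, m = 0, 1
    for rep in (TRIVIAL, SIGN):
        k, s, p = block_dlog(block_image(M, rep), block_image(Mn, rep))
        if k < s:
            return k, 0
        r, m = crt(r, m, k, p)
    return r, m

# Constructed sample instance (not from the paper): a sparse public matrix.
W, Z = IDX[(1, 0, 2, 3, 4)], IDX[(1, 2, 3, 4, 0)]                       # W = (12), Z = (12345)
M_PUBLIC = [[{0: 1, W: 2}, {Z: 3}, {}],
            [{W: 1, Z: 1}, {0: 5}, {TABLE[W][Z]: 1}],
            [{}, {Z: 2, W: 4}, {0: 1, Z: 6}]]
def demo(n_alice=21, n_bob=11):
    A, _, k_alice, k_bob = dh_exchange(M_PUBLIC, n_alice, n_bob)
    r, m = recover_exponent(M_PUBLIC, A)          # uses only the message that went over the wire
    return k_alice == k_bob, r, m                 # (True, 21, 48) for the defaults
```

For the sample matrix the trivial and sign blocks of $f(M)$ have periods 6 and 48, so with the default exponents Alice's $n = 21$ is recovered exactly from the two smallest blocks alone, and the attacker obtains the shared key as $(M^{n'})^{n}$. In general each block only pins $n$ modulo its own period, and the blocks of size 12, 15 and 18 (handled in the paper by the Jordan form of [6]) supply the remaining congruences.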


4. Conclusion

We showed that using matrices with coefficients in $\mathbb{F}_7[S_5]$ as a platform for
Diffie-Hellman key exchange is not secure. One may wonder whether replacing $\mathbb{F}_7$
by $\mathbb{F}_2$, $\mathbb{F}_3$ or $\mathbb{F}_5$ gives something essentially different. In these cases the
group algebra is no longer semi-simple (the characteristic divides $|S_5| = 120$)
and Wedderburn's theorem cannot be applied. But these algebras are not far from
being semi-simple: they differ from a semi-simple algebra by a nilpotent
radical, the quotient by this radical is semi-simple, and the same procedure as
explained in section 3 can then be applied to the quotient. In summary, we
believe that no secure cryptographic protocol can be based upon these algebras.

Furthermore, the protocol obtained by replacing the group $S_5$ by some other
finite group $G$ can be cryptanalyzed in the same way, using the irreducible
representations of $G$.